This repository was archived by the owner on Jul 30, 2024. It is now read-only.
In addition to #357, Flask-Security gives attackers hints as to whether the username or the password is invalid. Even if you change SECURITY_MSG_USER_DOES_NOT_EXIST and SECURITY_MSG_INVALID_PASSWORD to use ambiguous wording, talking to the login view via JSON (for example) will still give hints as to whether the email or the password is incorrect.
For an invalid password, the response looks like:
```python
{'meta': {'code': 400},
 'response': {'errors': {'password': ['Invalid username or password']}}}
```
And a non-existent user:
```python
{'meta': {'code': 400},
 'response': {'errors': {'email': ['Invalid username or password']}}}
```
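The leak described in the issue, as an added example that is not Flask-Security's own code: `login_leaky` reproduces the per-field error shape quoted above, `login_uniform` returns one non-field error and does the same hashing work on both failure paths, and `leaks_account_existence` is a small check a maintainer could run against either handler. The user store, salt, and function names are constructed for this example.

```python
"""Added example: per-field login errors leak account existence; a uniform
error shape (plus equal work on both paths) does not. Not Flask-Security code."""
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: email -> (salt, PBKDF2 digest). Not real data.
_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential checked when the email is unknown, so the unknown-user path
# costs the same as a wrong-password check (closes the timing side of the oracle).
_DUMMY = (_SALT, _hash("dummy-password", _SALT))

def login_leaky(email: str, password: str) -> dict:
    """Mirrors the response shape quoted in the issue: the error key names the failing field."""
    user = USERS.get(email)
    if user is None:
        return {"meta": {"code": 400},
                "response": {"errors": {"email": ["Invalid username or password"]}}}
    salt, digest = user
    if not hmac.compare_digest(_hash(password, salt), digest):
        return {"meta": {"code": 400},
                "response": {"errors": {"password": ["Invalid username or password"]}}}
    return {"meta": {"code": 200}, "response": {"user": {"email": email}}}

def login_uniform(email: str, password: str) -> dict:
    """Hardened: one non-field error key, and the hash is always computed."""
    salt, digest = USERS.get(email, _DUMMY)
    ok = email in USERS and hmac.compare_digest(_hash(password, salt), digest)
    if not ok:
        return {"meta": {"code": 400},
                "response": {"errors": {"_": ["Invalid username or password"]}}}
    return {"meta": {"code": 200}, "response": {"user": {"email": email}}}

def error_keys(resp: dict) -> list:
    """The set of error field names in a response; this is what an observer compares."""
    return sorted(resp["response"].get("errors", {}))

def leaks_account_existence(handler) -> bool:
    """Maintainer-side check: does the failure shape differ for a known vs. unknown email?"""
    known = handler("alice@example.com", "wrong-password")
    unknown = handler("nobody@example.com", "wrong-password")
    return error_keys(known) != error_keys(unknown)
```

The check only compares the JSON structure; response time and status code should be compared in the same way when auditing a real deployment.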